Upload
others
View
7
Download
0
Embed Size (px)
Citation preview
FHEW: Homomorphic Encryption Bootstrappingin less than a Second1
Leo Ducas2 Daniele Micciancio
UC San Diego
Charles River Crypto Day, April 2015
1To appear in Eurocrypt 20152Now at CWI
1 / 29
Outline
Introduction/Summary
The new NAND gate
Simpler Refreshing
Conclusion
2 / 29
Outline
Introduction/Summary
The new NAND gate
Simpler Refreshing
Conclusion
3 / 29
The evolution of FHE
Fully Homomorphic Encryption has seen drastic changes sinceGentry’s first proposal:
I [Rivest,Adleman,Dertouzos’78]: Open problem
I [Gentry’09]: ideal lattices, sparse subset-sum, squashing, etc.
I [Gentry,Halevi’11],[Brakerski,Vaikuntanathan’11]: no squash
I [Brakerski,Vaikuntanathan’11]: Subexponential LWE
I [Brakerski’12],[Alperin-Sheriff,Peiert’14]: (Polynomial) LWE
I Many more works improving efficiency, etc.
Still, all schemes have a common ingredient:
Key technique
Gentry’s FHE bootstrapping
4 / 29
The evolution of FHE
Fully Homomorphic Encryption has seen drastic changes sinceGentry’s first proposal:
I [Rivest,Adleman,Dertouzos’78]: Open problem
I [Gentry’09]: ideal lattices, sparse subset-sum, squashing, etc.
I [Gentry,Halevi’11],[Brakerski,Vaikuntanathan’11]: no squash
I [Brakerski,Vaikuntanathan’11]: Subexponential LWE
I [Brakerski’12],[Alperin-Sheriff,Peiert’14]: (Polynomial) LWE
I Many more works improving efficiency, etc.
Still, all schemes have a common ingredient:
Key technique
Gentry’s FHE bootstrapping
4 / 29
FHE Bootstrapping
All known FHE schemes are based on noisy encryption schemes:
I Decryption is possible only when noise is sufficiently small.
I Noise grows when computing on ciphertexts.
I After a while, no more operations can be performed.
FHE Bootstrapping:
I Method to “reset” the noise level of a ciphertext
I Idea: homomorphically compute ciphertext decryptionfunction on encrypted key
kDec(·)(Enck(m))
m
Enc(k)Dec(·)(Enck(m))
Enc(m)
5 / 29
FHE Bootstrapping
All known FHE schemes are based on noisy encryption schemes:
I Decryption is possible only when noise is sufficiently small.
I Noise grows when computing on ciphertexts.
I After a while, no more operations can be performed.
FHE Bootstrapping:
I Method to “reset” the noise level of a ciphertext
I Idea: homomorphically compute ciphertext decryptionfunction on encrypted key
kDec(·)(Enck(m))
m
Enc(k)Dec(·)(Enck(m))
Enc(m)
5 / 29
FHE Bootstrapping
All known FHE schemes are based on noisy encryption schemes:
I Decryption is possible only when noise is sufficiently small.
I Noise grows when computing on ciphertexts.
I After a while, no more operations can be performed.
FHE Bootstrapping:
I Method to “reset” the noise level of a ciphertext
I Idea: homomorphically compute ciphertext decryptionfunction on encrypted key
kDec(·)(Enck(m))
m
Enc(k)Dec(·)(Enck(m))
Enc(m)
5 / 29
FHE Bootstrapping (cont.)
kDec(·)(c = Enck(m))
m
Enc(k)Dec(·)(c = Enck(m))
c ′ = Enc(m)
The quality/noise of the output c ′ depends on
I the quality/noise of Enc(k), which is a fresh ciphertxt, and
I the complexity of Dec(·)(c),
I but not the quality/noise of c , as long as it decrypts
Lattice Cryptography
I Basic homomorphic properties
I Low-complexity decryption Dec(·)(c)
Still, even if Dec(·)(c) is efficient, bootstrapping is very costlybecause Dec(·)(c) needs to be computed homomorphically on anencrypted Enc(k).
6 / 29
FHE Bootstrapping (cont.)
kDec(·)(c = Enck(m))
m
Enc(k)Dec(·)(c = Enck(m))
c ′ = Enc(m)
The quality/noise of the output c ′ depends on
I the quality/noise of Enc(k), which is a fresh ciphertxt, and
I the complexity of Dec(·)(c),
I but not the quality/noise of c , as long as it decrypts
Lattice Cryptography
I Basic homomorphic properties
I Low-complexity decryption Dec(·)(c)
Still, even if Dec(·)(c) is efficient, bootstrapping is very costlybecause Dec(·)(c) needs to be computed homomorphically on anencrypted Enc(k).
6 / 29
FHE Bootstrapping (cont.)
kDec(·)(c = Enck(m))
m
Enc(k)Dec(·)(c = Enck(m))
c ′ = Enc(m)
The quality/noise of the output c ′ depends on
I the quality/noise of Enc(k), which is a fresh ciphertxt, and
I the complexity of Dec(·)(c),
I but not the quality/noise of c , as long as it decrypts
Lattice Cryptography
I Basic homomorphic properties
I Low-complexity decryption Dec(·)(c)
Still, even if Dec(·)(c) is efficient, bootstrapping is very costlybecause Dec(·)(c) needs to be computed homomorphically on anencrypted Enc(k).
6 / 29
FHE Bootstrapping (cont.)
kDec(·)(c = Enck(m))
m
Enc(k)Dec(·)(c = Enck(m))
c ′ = Enc(m)
The quality/noise of the output c ′ depends on
I the quality/noise of Enc(k), which is a fresh ciphertxt, and
I the complexity of Dec(·)(c),
I but not the quality/noise of c , as long as it decrypts
Lattice Cryptography
I Basic homomorphic properties
I Low-complexity decryption Dec(·)(c)
Still, even if Dec(·)(c) is efficient, bootstrapping is very costlybecause Dec(·)(c) needs to be computed homomorphically on anencrypted Enc(k).
6 / 29
The Problem
FHE Bootstrapping/Refreshing is an expensive process:
I [Halevi, Shoup’14,’15] HElib: 6-30 mins
Mitigating the cost of bootstrapping (previous approaches):
I SIMD-FHE: Perform many refresh operations in parallel
I Noise control: allow more computation before refreshing
I HElib: Cost can be amortized over ≈ 1000 binary ciphertext.
Question
How fast can we refresh a single ciphertext?
7 / 29
The Problem
FHE Bootstrapping/Refreshing is an expensive process:
I [Halevi, Shoup’14,’15] HElib: 6-30 mins
Mitigating the cost of bootstrapping (previous approaches):
I SIMD-FHE: Perform many refresh operations in parallel
I Noise control: allow more computation before refreshing
I HElib: Cost can be amortized over ≈ 1000 binary ciphertext.
Question
How fast can we refresh a single ciphertext?
7 / 29
The Problem
FHE Bootstrapping/Refreshing is an expensive process:
I [Halevi, Shoup’14,’15] HElib: 6-30 mins
Mitigating the cost of bootstrapping (previous approaches):
I SIMD-FHE: Perform many refresh operations in parallel
I Noise control: allow more computation before refreshing
I HElib: Cost can be amortized over ≈ 1000 binary ciphertext.
Question
How fast can we refresh a single ciphertext?
7 / 29
Contributions
Question
How fast can we refresh for a single ciphertext ?
We give a proof of concept solution in 0.6 seconds:amortized cost comparable to [HElib], but without the delay...Two new techniques:
I a new, cheap NAND gate
I a simpler refreshing procedure using ring structure
8 / 29
Contributions
Question
How fast can we refresh for a single ciphertext ?
We give a proof of concept solution in 0.6 seconds:amortized cost comparable to [HElib], but without the delay...Two new techniques:
I a new, cheap NAND gate
I a simpler refreshing procedure using ring structure
8 / 29
The new NAND gate
Base: Start from LWE encryption with message space: Zt , t > 2.
Idea: Different message space for input (t = 4) and output(t = 2).
Advantages:
I Cost of computing Homomorphic NAND is negligible (similarto a single private key cryptographic operation.)
I Excellent noise growth: ε grows only by a small constantfactor.
I Substantially simplifies the task faced by the Refreshingprocedure.
9 / 29
The new NAND gate
Base: Start from LWE encryption with message space: Zt , t > 2.
Idea: Different message space for input (t = 4) and output(t = 2).
Advantages:
I Cost of computing Homomorphic NAND is negligible (similarto a single private key cryptographic operation.)
I Excellent noise growth: ε grows only by a small constantfactor.
I Substantially simplifies the task faced by the Refreshingprocedure.
9 / 29
A simpler refreshing procedure
Base: General approach of [Alperin-Sheriff,Peikert’14] + Ringvariant of [Gentry,Sahai,Waters’13] Homomorphic encryption.
Idea: Implement arithmetic modq in the exponent
Improvement over [AP14]:
I Theoretical speed-up of Ω(log3 q)
I Smaller final error.
Combined with the problem simpification brought by our cheapNAND computation, this results in bootstrapping cost ≈ 0.6second, at estimated ≈100-bit security level.
10 / 29
A simpler refreshing procedure
Base: General approach of [Alperin-Sheriff,Peikert’14] + Ringvariant of [Gentry,Sahai,Waters’13] Homomorphic encryption.
Idea: Implement arithmetic modq in the exponent
Improvement over [AP14]:
I Theoretical speed-up of Ω(log3 q)
I Smaller final error.
Combined with the problem simpification brought by our cheapNAND computation, this results in bootstrapping cost ≈ 0.6second, at estimated ≈100-bit security level.
10 / 29
Outline
Introduction/Summary
The new NAND gate
Simpler Refreshing
Conclusion
11 / 29
LWE and Symmetric Encryption
Definition (Learning with Errors)
I For a random secret s ∈ Znq
I Given many sample (a, b = 〈a , s〉+ e) where e ← χ, small
I Distinguish the samples from uniformly random
LWE is as hard as worst-case lattice problems
Encs(m ∈ Z2) = (a, b = 〈a , s〉+ e + m · q/2)
Decs(a, b) = b2(b − 〈a , s〉)/qe
Sets of encryptions of m with error e < E noted LWEs(m,E ).Correct decryption ensured if (a, b) ∈ LWEs( · , q/4)
12 / 29
LWE and Symmetric Encryption
Definition (Learning with Errors)
I For a random secret s ∈ Znq
I Given many sample (a, b = 〈a , s〉+ e) where e ← χ, small
I Distinguish the samples from uniformly random
LWE is as hard as worst-case lattice problems
Encs(m ∈ Z2) = (a, b = 〈a , s〉+ e + m · q/2)
Decs(a, b) = b2(b − 〈a , s〉)/qe
Sets of encryptions of m with error e < E noted LWEs(m,E ).Correct decryption ensured if (a, b) ∈ LWEs( · , q/4)
12 / 29
LWE and Symmetric Encryption
Definition (Learning with Errors)
I For a random secret s ∈ Znq
I Given many sample (a, b = 〈a , s〉+ e) where e ← χ, small
I Distinguish the samples from uniformly random
LWE is as hard as worst-case lattice problems
Encs(m ∈ Z2) = (a, b = 〈a , s〉+ e + m · q/2)
Decs(a, b) = b2(b − 〈a , s〉)/qe
Sets of encryptions of m with error e < E noted LWEs(m,E ).Correct decryption ensured if (a, b) ∈ LWEs( · , q/4)
12 / 29
Homomorphic Operation on LWE ciphertext
Addition/XOR operation as the sum of ciphertexts:
LWEs(m1, e1)× LWEs(m2, e2)→ LWEs(m1 ⊕m2, e1 + e2)
(Traditional) (N)AND operation as the tensor of ciphertexts:
LWEs1(m1, e1)× LWEs2(m2, e2)→ LWEs1⊗s2(m1 ∧m2, e1 · e2)
⇒ FHE boostrapping requires strong Refreshing :
LWEs(m, e)→ LWEs(m, e′), e ′ e.
Techniques: Key Switching, Mod Switching, and HomomorphicDecryption.
13 / 29
Homomorphic Operation on LWE ciphertext
Addition/XOR operation as the sum of ciphertexts:
LWEs(m1, e1)× LWEs(m2, e2)→ LWEs(m1 ⊕m2, e1 + e2)
(Traditional) (N)AND operation as the tensor of ciphertexts:
LWEs1(m1, e1)× LWEs2(m2, e2)→ LWEs1⊗s2(m1 ∧m2, e1 · e2)
⇒ FHE boostrapping requires strong Refreshing :
LWEs(m, e)→ LWEs(m, e′), e ′ e.
Techniques: Key Switching, Mod Switching, and HomomorphicDecryption.
13 / 29
LWE encryption with different message spaces
Idea: use an LWE sample as a mask
Encs(m) = (a, b = 〈a , s〉+ e + m · q/2)
Decs(a, b) = b2(b − 〈a , s〉)/qe
m · q2 + e
m · q4 + e m · q4 + e
1
0
12
30
12
30
binary messages
Messages in Z4 Smaller error
LWE2s (m, q/4)
LWE4s (m, q/8) LWE4
s (m, q/16)
14 / 29
LWE encryption with different message spaces
Idea: use an LWE sample as a mask
Encs(m) = (a, b = 〈a , s〉+ e + m · q/2)
Decs(a, b) = b2(b − 〈a , s〉)/qe
m · q2 + e m · q4 + e
m · q4 + e
1
01
230
12
30
binary messages Messages in Z4
Smaller error
LWE2s (m, q/4) LWE4
s (m, q/8)
LWE4s (m, q/16)
14 / 29
LWE encryption with different message spaces
Idea: use an LWE sample as a mask
Encs(m) = (a, b = 〈a , s〉+ e + m · q/2)
Decs(a, b) = b2(b − 〈a , s〉)/qe
m · q2 + e m · q4 + e m · q4 + e
1
01
230
12
30
binary messages Messages in Z4 Smaller errorLWE2
s (m, q/4) LWE4s (m, q/8) LWE4
s (m, q/16)
14 / 29
A Cheap NAND gate
Idea, use: m1 ∧m2 ⇔ m1 + m2 = 2 mod 4.Consider binary messages 0, 1 encrypted with t = 4:
12
30
+ 12
30
=
12
300
11
0
q80
1
5q8
Consider it as a ciphertext for t = 2 and rotate.
HomNAND:
LWE4s (m1,
q16)×LWE4
s (m2,q16) → LWE2
s (m1 ∧ m2,q4 )
(a1, b1) , (a2, b2) 7→ (a1 + a2, b1 + b2 + 5q8 )
15 / 29
A Cheap NAND gate
Idea, use: m1 ∧m2 ⇔ m1 + m2 = 2 mod 4.Consider binary messages 0, 1 encrypted with t = 4:
12
30
+ 12
30
= 12
30
0
11
0
q80
1
5q8
Consider it as a ciphertext for t = 2 and rotate.
HomNAND:
LWE4s (m1,
q16)×LWE4
s (m2,q16) → LWE2
s (m1 ∧ m2,q4 )
(a1, b1) , (a2, b2) 7→ (a1 + a2, b1 + b2 + 5q8 )
15 / 29
A Cheap NAND gate
Idea, use: m1 ∧m2 ⇔ m1 + m2 = 2 mod 4.Consider binary messages 0, 1 encrypted with t = 4:
12
30
+ 12
30
= 12
30
0
11
0
q80
1
5q8
Consider it as a ciphertext for t = 2 and rotate.
HomNAND:
LWE4s (m1,
q16)×LWE4
s (m2,q16) → LWE2
s (m1 ∧ m2,q4 )
(a1, b1) , (a2, b2) 7→ (a1 + a2, b1 + b2 + 5q8 )
15 / 29
A Cheap NAND gate
Idea, use: m1 ∧m2 ⇔ m1 + m2 = 2 mod 4.Consider binary messages 0, 1 encrypted with t = 4:
12
30
+ 12
30
=
12
30
0
1
1
0
q80
1
5q8
Consider it as a ciphertext for t = 2 and rotate.
HomNAND:
LWE4s (m1,
q16)×LWE4
s (m2,q16) → LWE2
s (m1 ∧ m2,q4 )
(a1, b1) , (a2, b2) 7→ (a1 + a2, b1 + b2 + 5q8 )
15 / 29
A Cheap NAND gate
Idea, use: m1 ∧m2 ⇔ m1 + m2 = 2 mod 4.Consider binary messages 0, 1 encrypted with t = 4:
12
30
+ 12
30
=
12
300
1
1
0
q8
0
1
5q8
Consider it as a ciphertext for t = 2 and rotate.
HomNAND:
LWE4s (m1,
q16)×LWE4
s (m2,q16) → LWE2
s (m1 ∧ m2,q4 )
(a1, b1) , (a2, b2) 7→ (a1 + a2, b1 + b2 + 5q8 )
15 / 29
A Cheap NAND gate
Idea, use: m1 ∧m2 ⇔ m1 + m2 = 2 mod 4.Consider binary messages 0, 1 encrypted with t = 4:
12
30
+ 12
30
=
12
300
11
0
q8
0
1
5q8
Consider it as a ciphertext for t = 2 and rotate.
HomNAND:
LWE4s (m1,
q16)×LWE4
s (m2,q16) → LWE2
s (m1 ∧ m2,q4 )
(a1, b1) , (a2, b2) 7→ (a1 + a2, b1 + b2 + 5q8 )
15 / 29
Lightweight Refreshing
We have HomNAND:
LWE4s
(m1,
q
16
)× LWE4
s
(m2,
q
16
)→ LWE2
s
(m1 ∧ m2,
q
4
)
To build an FHE we require a relaxed function LightRefresh:
LightRefresh : LWE2s (m, q/4)→ LWE4
s (m, q/16)
whereas previous works required:
Refresh : LWE2s (m, q/4)→ LWE2
s (m,E ) ,E q.
As usual, we will use Key Switching, Mod Switching, andHomomorphic Decryption.
16 / 29
Lightweight Refreshing
We have HomNAND:
LWE4s
(m1,
q
16
)× LWE4
s
(m2,
q
16
)→ LWE2
s
(m1 ∧ m2,
q
4
)To build an FHE we require a relaxed function LightRefresh:
LightRefresh : LWE2s (m, q/4)→ LWE4
s (m, q/16)
whereas previous works required:
Refresh : LWE2s (m, q/4)→ LWE2
s (m,E ) ,E q.
As usual, we will use Key Switching, Mod Switching, andHomomorphic Decryption.
16 / 29
Lightweight Refreshing
We have HomNAND:
LWE4s
(m1,
q
16
)× LWE4
s
(m2,
q
16
)→ LWE2
s
(m1 ∧ m2,
q
4
)To build an FHE we require a relaxed function LightRefresh:
LightRefresh : LWE2s (m, q/4)→ LWE4
s (m, q/16)
whereas previous works required:
Refresh : LWE2s (m, q/4)→ LWE2
s (m,E ) ,E q.
As usual, we will use Key Switching, Mod Switching, andHomomorphic Decryption.
16 / 29
Outline
Introduction/Summary
The new NAND gate
Simpler Refreshing
Conclusion
17 / 29
Decryption using an Accumulator
Decs(a, b) = msb (b − 〈a , s〉 mod q) = msb
(b −
∑i
ai · si mod q
)
Decs(a, b):
acc ← b
for i = 1 to n:
acc ← acc − ai · si mod q
Return msb(acc)
18 / 29
Decryption using an Accumulator
Decs(a, b) = msb (b − 〈a , s〉 mod q) = msb
(b −
∑i
ai · si mod q
)
Homomorphic decryption given E ′(s) = [E (a · si) | i , a]:
E (acc)← b
for i = 1 to n:
E (acc)← E (acc)− E (ai · si ) mod q
Return LWE(msb(acc))
ACC = E (acc) holds an encrypted integer acc ∈ Zq
The accumulator ACC should support the following operations:
I Initialization: ACC ← bI Addition ACC ← ACC + c of a fresh ciphertext c = E (a · si )I Extract encrypted MSB: ACC → LWE (msb(acc))
18 / 29
Decryption using an Accumulator
Decs(a, b) = msb (b − 〈a , s〉 mod q) = msb
(b −
∑i
ai · si mod q
)
Homomorphic decryption given E ′(s) = [E (a · si) | i , a]:
E (acc)← b
for i = 1 to n:
E (acc)← E (acc)− E (ai · si ) mod q
Return LWE(msb(acc))
ACC = E (acc) holds an encrypted integer acc ∈ Zq
The accumulator ACC should support the following operations:
I Initialization: ACC ← bI Addition ACC ← ACC + c of a fresh ciphertext c = E (a · si )I Extract encrypted MSB: ACC → LWE (msb(acc))
18 / 29
Implementing the Accumulator
The framework of [AP14] based on [GSW13] (E ,+, ·):
I ACC = [E (aq−1), . . . ,E (a1),E (a0)] with ai = δi=acc ∈ 0, 1
I Increment ACC ← ACC + Enc(b), b ∈ 0, 1:ACC [i ]← ACC [i ] · (1− E (b)) + ACC [i − 1] · E (b)
I MSB extraction: MSB(ACC ) =∑q−1
q/2 Enc(ai ).
I Optimized using CRT and product of many small cyclic rings.
We optimize this construction using the cyclotomic ring
R = Z[X ]/(XN + 1).
I Embed Zq in the group (X ii , ·), of roots of unity, q = 2N.
I ACC uses only a single ciphertext E (X acc).
19 / 29
Implementing the Accumulator
The framework of [AP14] based on [GSW13] (E ,+, ·):
I ACC = [E (aq−1), . . . ,E (a1),E (a0)] with ai = δi=acc ∈ 0, 1I Increment ACC ← ACC + Enc(b), b ∈ 0, 1:
ACC [i ]← ACC [i ] · (1− E (b)) + ACC [i − 1] · E (b)
I MSB extraction: MSB(ACC ) =∑q−1
q/2 Enc(ai ).
I Optimized using CRT and product of many small cyclic rings.
We optimize this construction using the cyclotomic ring
R = Z[X ]/(XN + 1).
I Embed Zq in the group (X ii , ·), of roots of unity, q = 2N.
I ACC uses only a single ciphertext E (X acc).
19 / 29
Implementing the Accumulator
The framework of [AP14] based on [GSW13] (E ,+, ·):
I ACC = [E (aq−1), . . . ,E (a1),E (a0)] with ai = δi=acc ∈ 0, 1I Increment ACC ← ACC + Enc(b), b ∈ 0, 1:
ACC [i ]← ACC [i ] · (1− E (b)) + ACC [i − 1] · E (b)
I MSB extraction: MSB(ACC ) =∑q−1
q/2 Enc(ai ).
I Optimized using CRT and product of many small cyclic rings.
We optimize this construction using the cyclotomic ring
R = Z[X ]/(XN + 1).
I Embed Zq in the group (X ii , ·), of roots of unity, q = 2N.
I ACC uses only a single ciphertext E (X acc).
19 / 29
Implementing the Accumulator
The framework of [AP14] based on [GSW13] (E ,+, ·):
I ACC = [E (aq−1), . . . ,E (a1),E (a0)] with ai = δi=acc ∈ 0, 1I Increment ACC ← ACC + Enc(b), b ∈ 0, 1:
ACC [i ]← ACC [i ] · (1− E (b)) + ACC [i − 1] · E (b)
I MSB extraction: MSB(ACC ) =∑q−1
q/2 Enc(ai ).
I Optimized using CRT and product of many small cyclic rings.
We optimize this construction using the cyclotomic ring
R = Z[X ]/(XN + 1).
I Embed Zq in the group (X ii , ·), of roots of unity, q = 2N.
I ACC uses only a single ciphertext E (X acc).
19 / 29
Implementing the Accumulator
The framework of [AP14] based on [GSW13] (E ,+, ·):
I ACC = [E (aq−1), . . . ,E (a1),E (a0)] with ai = δi=acc ∈ 0, 1I Increment ACC ← ACC + Enc(b), b ∈ 0, 1:
ACC [i ]← ACC [i ] · (1− E (b)) + ACC [i − 1] · E (b)
I MSB extraction: MSB(ACC ) =∑q−1
q/2 Enc(ai ).
I Optimized using CRT and product of many small cyclic rings.
We optimize this construction using the cyclotomic ring
R = Z[X ]/(XN + 1).
I Embed Zq in the group (X ii , ·), of roots of unity, q = 2N.
I ACC uses only a single ciphertext E (X acc).
19 / 29
Ring version of [GSW13]
Q = 2k , Gadget matrix: G = [I, 2I, 4I . . . 2k−1I]t ∈ Zn+1×(n+1)kQ .
Es(m) = [A,As + e] + m · G
Decs: extract an LWEs ciphertext (last row) and decrypt.Supports Add. and Mult. for small messages m ∈ −1, 0, 1.
Cyclotomic ring R = Z[X ]/(XN + 1), 2N = q is a power of 2.
Generalized Gadget matrix: G = u · [I, bI, b2I . . . bk−1I]t ∈ R2×2kQ .
Es(m ∈ Zq) = [a, a · s + e] + Xm · G
Supports addition for all message m ∈ Zq.
20 / 29
Ring version of [GSW13]
Q = 2k , Gadget matrix: G = [I, 2I, 4I . . . 2k−1I]t ∈ Zn+1×(n+1)kQ .
Es(m) = [A,As + e] + m · G
Decs: extract an LWEs ciphertext (last row) and decrypt.Supports Add. and Mult. for small messages m ∈ −1, 0, 1.
Cyclotomic ring R = Z[X ]/(XN + 1), 2N = q is a power of 2.
Generalized Gadget matrix: G = u · [I, bI, b2I . . . bk−1I]t ∈ R2×2kQ .
Es(m ∈ Zq) = [a, a · s + e] + Xm · G
Supports addition for all message m ∈ Zq.
20 / 29
The group of roots of unity and msb
m 0 1 . . . q2 − 1 q
2q2 + 1 . . . q − 1
Xm 1 X . . . XN−1 −1 −X . . . −XN−1
xm
10...0
01...0
. . .
00...1
−10...0
0−1
...0
. . .
00...−1
〈1 , xm〉 1 1 . . . 1 −1 −1 . . . −1
Take the vector representation of Xm
Sum all the coordinates
〈1 , xm〉+ 1
2=
(−1)msb(m) + 1
2= msb(m).
21 / 29
Extracting LWE4s (msb(m))
Recall: G = u · [I, bI, b2I . . . bk−1I]t ∈ R2×2kQ and
Es(m ∈ Zq) = [a, a · s + e] + Xm · G
Set u = q/8, take the 2nd row, in vector representation:
C =
[A′,A′ · s + e +
Q
8· xm
]Sum all rows and add q/8:
1t · C = 1t ·[
A′,A′ · s + e +Q
8· xm +
Q
8
]=
[a′, a′ · s + e ′ +
Q
4·msb(m)
]Obtain an LWE encryption of msb(m) with message space Z4.
22 / 29
Extracting LWE4s (msb(m))
Recall: G = u · [I, bI, b2I . . . bk−1I]t ∈ R2×2kQ and
Es(m ∈ Zq) = [a, a · s + e] + Xm · G
Set u = q/8, take the 2nd row, in vector representation:
C =
[A′,A′ · s + e +
Q
8· xm
]
Sum all rows and add q/8:
1t · C = 1t ·[
A′,A′ · s + e +Q
8· xm +
Q
8
]=
[a′, a′ · s + e ′ +
Q
4·msb(m)
]Obtain an LWE encryption of msb(m) with message space Z4.
22 / 29
Extracting LWE4s (msb(m))
Recall: G = u · [I, bI, b2I . . . bk−1I]t ∈ R2×2kQ and
Es(m ∈ Zq) = [a, a · s + e] + Xm · G
Set u = q/8, take the 2nd row, in vector representation:
C =
[A′,A′ · s + e +
Q
8· xm
]Sum all rows and add q/8:
1t · C = 1t ·[
A′,A′ · s + e +Q
8· xm +
Q
8
]=
[a′, a′ · s + e ′ +
Q
4·msb(m)
]Obtain an LWE encryption of msb(m) with message space Z4.
22 / 29
Improvements
Improvement over the bootstrapping of [AP14]:
I Generic Ω(n) speed-up from Ring structure
I An extra Ω(log3 q) speed-up by embedding
I Error after bootstrapping reduced by O(√n log n).
In addition to our new NAND gate, implementation becomesreasonable.
23 / 29
Outline
Introduction/Summary
The new NAND gate
Simpler Refreshing
Conclusion
24 / 29
The ciphertext cycle
LWE4/qn (m1, q/16)
LWE4/qn (m2, q/16)
NAND LWE2/qn (m, q/4)
LWE4/QN
(m, σO(N3/2)
)ACC operations
and msbTest
LWE4/Qn
(m, σO(N3/2)
)Key Switch
LWE4/qs1 (m, q/16)
Modulus Switch
25 / 29
Parameter Proposal
Parameters.LWE parameters: n = 410 q = 512.Ring-GSW parameters: N = 1024 Q = 232 .Gadget Matrix: Q/8 · [I, 211 · I, 222 · I]Key Size.Bootstrapping Key Size 846 MBKey Switching Key Size: +135 MB
6 1GB
Running time.Per NAND gate: 39, 360 FFTs ≈ 0.4 secSecurity.Security of the LWE scheme δ1 = 1.0060Security of the Ring-GSW scheme δ2 = 1.0060
26 / 29
Proof of Concept Implementation
I Coded in 4 days·manroom for implementation level optimization.
I Reasonably concise: 6 600 lines of C++ code[HElib]: ≈ 20, 000 lines
I Using FFT3 over C at double precisionin dimension 2048 to obtain negacyclic-FFT.
potentially slower than 32-bits NTT in dimension 1024.
Result: Homomorphic NAND & refreshing in 0.61 secondson a single standard 64-bit core at 3Ghz.
Comparable to the amortized cost of bootstrapping in [HElib].
3FFTW library: The Fastest Fourier Transform in the West27 / 29
Beyond binary gates
Replace msb by other membership testing function. Obtain :
I moderate fan-in symmetric gatesmajority, threshold gates, neurons
I multiple outputs gates
Figure: Full-adder in one refresh (3-inputs, 2-outputs)
01
23
4
50
1
23
4
5
m1 + m2 + m3 ∈ 1, 3, 5 m1 + m2 + m3 ∈ 2, 3, 4m1 ⊕m2 ⊕m3 carry(m1,m2,m3)
28 / 29
The Next Steps
I Generalize the construction to arbitrary cyclotomic:we are restricted to powers of 2
I Exploit previous work using tensor-CRT for coprimes p, q:
Roots of unity(Z[X ]/Φp(X )
)' Zp
Roots of unity(Z[X ]/Φp(X )⊗ Z[X ]/Φq(X )
)' Zp × Zq ' Zpq
I Obtain a full S-box for the price of 1 or 2 Refresh operation.
Thank You
29 / 29
The Next Steps
I Generalize the construction to arbitrary cyclotomic:we are restricted to powers of 2
I Exploit previous work using tensor-CRT for coprimes p, q:
Roots of unity(Z[X ]/Φp(X )
)' Zp
Roots of unity(Z[X ]/Φp(X )⊗ Z[X ]/Φq(X )
)' Zp × Zq ' Zpq
I Obtain a full S-box for the price of 1 or 2 Refresh operation.
Thank You
29 / 29